I actually worked with a hospice on tech issues in the last couple years, and I can tell you the attitude about security and IT in general was… less than progressive. They had better things to do. Literally. Hospice folks have a really rough job, emotionally and financially, providing a service that’s simply not properly supported by payers, whether private or public. They live on donations and posthumous gifts. They’re the soup kitchen of modern healthcare, providing a vital service that no one really wants to think about.

But pleading a charity case obviously didn’t work on HHS. The hammer continues to fall with increasing speed and strength in matters of ePHI security.

Yet again, this breach is the story of a lost, unencrypted laptop with patient information on board. It’s not clear whether the records were actually accessed or distributed, but that’s obviously irrelevant.

Community Health Centers and other smaller health providers: Pay attention. HHS is now bringing the penalty thunder down to breaches of fewer than 500 records. And the price is high, at $50K for just 441 records (theoretically) stolen in this case. Of course the HHS write-up points to lack of policies, no risk assessment, no controls over mobile devices, no encryption, and so on. It’s kind of a broken record now.

So consider this your last chance to get your HIPAA policies and procedures drafted and start making regular progress on improving security. The key is to show active interest and ongoing improvements. Do your risk assessment. Build your list of critical improvements. Do them. Keep records of what you’re doing.

This stuff takes staff time and cash money to buy some technology, which is always tough in nonprofit healthcare. So get these stories in front of your CEO right away if you’re not getting the resources you need. Alternatively, put them in front of your CFO — because a big enough breach could threaten the financial viability of the company.